[cabfpub] Ballot 152 - Issuance of SHA-1 certificates through 2016)

Dean Coclin Dean_Coclin at symantec.com
Mon Oct 19 13:08:07 MST 2015


Sorry, allow me to clarify:

On #1, I wouldn’t refer to them as “proponents of SHA-1 certificates” as that’s not what they are. They are organizations that are having trouble replacing all their SHA-1 certificates by Jan 1, 2016. I think your statement in #2 below reflects their question. And specifically the threat model to new issuance that expire on the same date as current SHA-1 certificates.

On #2, yes, apparently there are several use cases (large deployments) of publicly trusted TLS certificates that are not used within browser environments and in which upgrading to SHA-2 requires additional time to change out hardware, software, etc.

I hope that provides some clarity.

Dean

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Monday, October 19, 2015 3:57 PM
To: Dean Coclin
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 152 - Issuance of SHA-1 certificates through 2016)

On Mon, Oct 19, 2015 at 12:48 PM, Dean Coclin <Dean_Coclin at symantec.com> wrote:

Despite this latest news and the withdrawal of the current ballot, I have
heard increasing calls from very large enterprises (Fortune 50) and
Governments that state the issue previously described, that is, the problem
in replacing high numbers of SHA1 certs before Dec 31 2015, doesn't go away.

Two issues which they feel have not adequately been described in threat
models:

1. The prohibition of issuing SHA1 certs after Dec 31, 2015 that still
expire by the existing deadline (Dec 31, 2016).

I'm not sure I follow what you're requesting here. I can see several ways of interpreting this:

1) Proponents of SHA-1 certificates do not feel they adequately understand why such issuance is prohibited beginning Jan 1, 2016.

2) Proponents of SHA-1 certificates do not feel they adequately understand why such issuance is prohibited beginning Jan 1, 2016 when existing certificates are allowed to have validity periods carrying on past that date.

3) Other

Could you clarify?

2. The prohibition of issuing non-browser based SHA-1 certs beyond Dec 31,
2015.  This appears to be a huge issue, the scope of which is still being
quantified. (Some may say that they shouldn't have been issuing from public
roots but this started way before the CA/B Forum)

To make sure I understand, is it fair to restate this as "Proponents of SHA-1 issuance do not understand why it is prohibited beginning Jan 1, 2016 for certificates that are used for SSL/TLS but not used within browser environments"?
